In 2017, millions of users have been affected by major data security breaches at companies using Amazon Web Services Simple Storage Service – the popular cloud storage and service platform better known as AWS S3.
When high-profile issues happen on the Web, it’s common to look for outside culprits. However, the pattern has been different with Amazon S3: User error has been a major driver behind many of the most significant security events.
This comes in two forms:
- Developers making configuration changes causing their S3 “bucket” to become publicly visible, thus exposing their bucket URL and making it easier for antagonists to gain control of their cloud resources;
- Senior executives failing to understand the relationship between Amazon infrastructure and their security practices – e.g., believing their usage of Amazon services externalizes responsibility for security.
Whatever the problem’s origins, Amazon S3 has been associated with some of the most serious data security crises of 2017. Global enterprises have come up short in efforts to safely harness cloud services, suggesting a reappraisal of security practices is needed.
Some examples include:
Verizon saw data for up to 16 million users leaked online. IT partner NICE Systems, an Israel-based data security firm, failed to limit external access to a sensitive S3 server. As a result, hackers may have data enabling them to pose as Verizon customers when using phone support.
In an embarrassing blunder, Viacom misconfigured an S3 bucket containing a treasure trove of its most sensitive IT data. A set of 72 compressed files on an S3 server contained what appeared to be a backup for the company’s global IT operations, including passwords and encryption keys.
Time Warner subsidiary Time Warner Cable exposed 4 million subscriber records when a contractor failed to secure an Amazon cloud database. Seven years' worth of data became publicly accessible, including addresses, contact phone numbers, and account information.
The repercussions are tremendous. Through no fault of their own, customers may be at risk of identity theft for years to come after a cloud platform breach. This erodes confidence in the brands thus exposed, potentially sparking millions in lost business. Compliance liability can also be created in the most serious cases.
How to Fix AWS S3 Risks and Reduce Leaks
Amazon S3 represents an opportunity to leverage world-class cloud architecture. However, enterprises must recognize that retaining Amazon as a cloud partner does not, in and of itself, take care of their security requirements.
Although Amazon proactively monitors its infrastructure and resolves systemic issues, security experts on the client side must guard against unintentional misuse of the service. There are a few things you can do.
Know Where Your Sensitive Data Is
Third-party tools can be used to enact data loss prevention (DLP) across Infrastructure-as-a-Service platforms, including AWS S3. DLP policies can be applied automatically based on identifiers, keywords, and data fingerprints. S3 buckets containing sensitive data should be identified, and buckets that have been configured for public access should be monitored.
Audit Your Security Configuration in AWS
Amazon Web Services includes a wide range of data security tools. Many third-party enterprises offer a security configuration dashboard that can consolidate and track the dozens of AWS security settings that can lead to unintentional public access. Security experts should audit the enterprise AWS posture on a regular basis to proactively remediate security holes.
Encrypt Your Data: AWS Guide on How to Encrypt Your Data
Monitor Your AWS S3 Bucket Access: Activate Server Access Logging
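The checks recommended above (public access, encryption, access logging) can be expressed as one small audit function. This is an added example, not code from the original article or from AWS; it assumes the inputs have the shape that boto3's get_bucket_acl, get_bucket_policy, get_bucket_logging and get_bucket_encryption calls return, and the finding labels and sample values are constructed for illustration.

```python
import json

# S3 ACL group URIs meaning "everyone" and "any authenticated AWS account".
ACL_GROUP = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {ACL_GROUP + "AllUsers", ACL_GROUP + "AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when AWS is a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def audit_bucket(acl, policy_json=None, logging_cfg=None, encryption_cfg=None):
    """Return a sorted list of findings for one bucket's configuration."""
    findings = []
    for grant in acl.get("Grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            findings.append("public-acl:" + grant["Permission"])
    if policy_json:
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            # A Condition (for example a source IP range) may narrow access,
            # so only unconditioned wildcard Allow statements are flagged.
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and _is_wildcard(stmt.get("Principal"))):
                findings.append("public-policy")
                break
    if not (logging_cfg or {}).get("LoggingEnabled"):
        findings.append("no-access-logging")
    sse = (encryption_cfg or {}).get("ServerSideEncryptionConfiguration", {})
    if not sse.get("Rules"):
        findings.append("no-default-encryption")
    return sorted(findings)

# Constructed sample inputs (not real buckets).
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group",
             "URI": ACL_GROUP + "AllUsers"}, "Permission": "READ"}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOGGING_ON = {"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "s3/"}}
SSE_ON = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    print(audit_bucket(LEAKY_ACL, LEAKY_POLICY))
```

A finding marks a bucket for review rather than proving exposure, since an explicit Deny statement or account-level settings can still restrict access.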
AWS S3 is a powerful tool. Human error – rather than external antagonists – remains the biggest challenge in using it. By scrupulously employing a few simple best practices, you’ll significantly reduce the likelihood of data security problems.